pro tip for security researchers: do not look into pixelfed. genuinely. don't make the same mistake as this one.
finding something that only affects pixelfed users is one thing. but if you accidentally uncover issues in the federation logic like today's vuln, you have a moral obligation to cooperate with dansup. do yourself a favor and don't start digging, because you will dig yourself into a moral dilemma with the only way out being treated like shit by dansup.
it however finds it less morally justifiable to ever cooperate with someone who made transphobic insults to its friends than to cooperate on fixing the vulnerability this one found. it has weighed its options and the impact, and opts for non-disclosure out of principle.
and for pixelfed users, or users federating with pixelfed instances: this one is actively advocating for security researchers to stay away from that software and knows about a not-yet-exploited zeroday. you know what that means for you: do not touch pixelfed.
Linked: Pixelfed leaks private posts from other Fediverse instances - fiona fokus (fokus.cool)